Jul 21 2022 06:03 AM
Within Intune, you can only enroll a corporately owned work profile or corporately owned fully managed device from a reset and a QR code token. However, with a personally owned Android, it doesn't seem to follow the compliance and configuration profiles I have set up.
I have a user that is not assigned to any of the groups I have in any of the compliance and configuration profiles in Intune (I have one each per enrollment type), so one user can only enroll one type depending on what group they are in.
So not only did it let this user log into the company portal, it installed the work and personal spaces on the device, it installed all of the work apps and I can use all of the work apps like Outlook without issue.
The device shows a red exclamation mark in the company portal and it shows in Intune as non-compliant, but everything works fine.
This bunch of users are NOT members of the conditional access policy I have set up to block all of these apps, because we have some users that will NEVER enroll their devices in Intune because of their role (they own the company), so they do not want restrictions.
We will also have users that we will not license with a P1 so can't assign them to that CA policy anyway.
Is there really no way to prevent anyone that has a Business Premium license from adding their phone into Intune?
Jul 22 2022 05:04 AM
Hi @luvsql! It sounds like you have not configured any device platform restrictions. This is where you would configure policies that dictate which users can and cannot enroll personally owned devices.
Take a look at your policies under Devices > Enroll devices > Enrollment device platform restrictions. You'll find four tabs in the top, allowing you to create restrictions per device platform (Android, Windows, macOS, iOS).
There will already be a restriction with "Default" priority, assigned to "All users". This one is always active and will be applied unless a restriction with a higher priority overrules it. Kind of like a final "deny all" firewall rule, except that this one says "allow all".
You can create additional restrictions, with higher priorities for specific user groups. Inside such a restriction, you can also define if you want to allow enrollment of personally-owned devices.
In your specific case, you'll want to block this in the "Default" restriction and then allow it again, for specific users, in an additional restriction. Remember: this works per device platform, so make sure you create restrictions for all of them.
That should do the trick.
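The priority logic described in the answer above (the "Default" restriction as a catch-all that only applies when no higher-priority restriction matches the user, evaluated separately per platform) can be modelled to check a planned set of restrictions before rolling them out. The following is an added example, not code from the original thread and not an Intune or Graph API: it is a stand-alone model of the evaluation order, with a constructed tenant in which the Default restriction blocks personal enrollment on Android, Windows and iOS but was forgotten on macOS, and a higher-priority restriction re-allows personal Android enrollment for one group. The group name `byod-users` and the restriction names are made up for the example.

```python
from dataclasses import dataclass

# The four platform tabs the answer refers to (Android, Windows, macOS, iOS).
PLATFORMS = ("android", "windows", "macos", "ios")


@dataclass(frozen=True)
class Restriction:
    """One enrollment device platform restriction for a single platform.

    priority: 1 is the highest; the Default restriction has no number and is
    always evaluated last (modelled here with is_default=True).
    assigned_groups: group names the restriction is assigned to; the Default
    restriction is assigned to "All users", so its set is empty and ignored.
    """
    name: str
    platform: str
    priority: int
    assigned_groups: frozenset
    personal_blocked: bool
    is_default: bool = False


def applicable_restriction(restrictions, platform, user_groups):
    """Return the restriction that applies to a user on one platform.

    Assumption (matches the answer's description): restrictions are walked
    from highest to lowest priority and the first one assigned to any of the
    user's groups wins; the Default restriction applies if none matched.
    """
    candidates = [r for r in restrictions if r.platform == platform]
    candidates.sort(key=lambda r: (r.is_default, r.priority))
    for r in candidates:
        if r.is_default or (r.assigned_groups & frozenset(user_groups)):
            return r
    return None


def personal_enrollment_allowed(restrictions, platform, user_groups):
    """True if a member of user_groups may enroll a personally owned device."""
    r = applicable_restriction(restrictions, platform, user_groups)
    if r is None:
        # No restriction at all for this platform: the tenant-wide default
        # in the answer is "allow all", so treat a missing entry as allowed.
        return True
    return not r.personal_blocked


def platforms_with_open_default(restrictions):
    """List platforms whose Default restriction still allows personal enrollment.

    This is the check the answer's last paragraph calls for: the block has to
    be repeated on every platform tab, so any platform left out is a gap.
    """
    gaps = []
    for platform in PLATFORMS:
        default = applicable_restriction(restrictions, platform, set())
        if default is None or not default.personal_blocked:
            gaps.append(platform)
    return gaps


# Constructed tenant for the example (not real data).
TENANT = [
    # Default restrictions: block personal devices on three platforms,
    # but the administrator forgot the macOS tab.
    Restriction("Default", "android", 0, frozenset(), True, is_default=True),
    Restriction("Default", "windows", 0, frozenset(), True, is_default=True),
    Restriction("Default", "ios", 0, frozenset(), True, is_default=True),
    Restriction("Default", "macos", 0, frozenset(), False, is_default=True),
    # Higher-priority restriction that re-allows personal Android for one group.
    Restriction("Allow BYOD Android", "android", 1,
                frozenset({"byod-users"}), False),
]


if __name__ == "__main__":
    for groups in ({"byod-users"}, set()):
        for platform in PLATFORMS:
            print(sorted(groups) or "no groups", platform,
                  "allowed" if personal_enrollment_allowed(TENANT, platform, groups)
                  else "blocked")
    print("Default still allows personal enrollment on:",
          platforms_with_open_default(TENANT))
```

Running the script shows that a member of `byod-users` can enroll a personal Android but not a personal iPhone (no override exists for iOS), a user in no group is blocked everywhere except macOS, and the audit function flags macOS as the platform where the Default restriction was never changed.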